Cyber Attacks, Threats, and Vulnerabilities
Alert (TA14-329A) Regin Malware (US-CERT) On November 24, 2014, Symantec released a report on Regin, a sophisticated backdoor Trojan used to conduct intelligence-gathering campaigns. At this time, the Regin campaign has not been identified targeting any organizations within the United States
Tricky Regin malware poses biggest threat outside US (CNET) The hard-to-detect malware is a Swiss Army knife of clandestine tools to extract information from targets in non-English speaking countries, experts say
IT firms: Likely link between Regin virus, intelligence agency (Deutsche Welle) Software analysts seem to agree that the Regin malware program is so advanced and discreet that it was most likely produced by an intelligence agency. The now-infamous initials NSA and GCHQ are being bandied about
So what if the Regin malware is British — this is just old-fashioned spying, right? (Techworld) Kaspersky Lab and Symantec blew the cover of a cybertool called Regin. Some clues point to the UK
Regin: Another Military-Grade Malware (Schneier on Security) Regin is another military-grade surveillance malware (tech details from Symantec and Kaspersky). It seems to have been in operation between 2008 and 2011. The Intercept has linked it to NSA/GCHQ operations, although I am still skeptical of the NSA/GCHQ hacking Belgian cryptographer Jean-Jacques Quisquater
Regin malware and why it doesn't change anything (FierceCIO) A closer look at the Regin super-malware, and why hackers are unlikely to copy it
Experts Question Legality of Use of Regin Malware by Intel Agencies (Threatpost) The disclosure of the Regin APT malware campaign this week has spurred much speculation about the source of the attack, with many experts pointing the finger at either the NSA or GCHQ, the British spy agency. Though security researchers involved in uncovering the attack have remained mum on the attribution of Regin, privacy experts say that if one of the intelligence agencies is involved, there's no legal basis for the operation
Regin: The super-spyware the security industry has been silent about (Register) NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds… (Register) FYI this isn't just going to target Windows, Linux and OS X fans
Snowden-Leaks: How Vodafone-Subsidiary Cable & Wireless Aided GCHQ's Spying Efforts (Süddeutsche Zeitung) Previously unpublished documents show how the UK telecom firm Cable & Wireless, acquired by Vodafone in 2012, played a key role in establishing one of the Government Communications Headquarters' (GCHQ) most controversial surveillance programs
'Less' means more to malware authors targeting Linux users (IDG via CSO) Using the "less" Linux command to view the contents of files downloaded from the Internet is a dangerous operation that can lead to remote code execution, according to a security researcher
Sony is the victim of a breach yet again (CSO) Sony was on the receiving end of a cyberattack once again. Hackers managed to take the Sony Pictures website offline on Monday. This isn't Sony's first experience with such attacks, though — Sony has been repeatedly targeted by attackers, up to and including having its PlayStation Network knocked offline in August
Hackers suggest they had physical access during attack on Sony Pictures (CSO) If true, the claim takes the situation from bad to worse
Popular security suites open to attack (ZDNet) Your anti-malware system does you no good if it's successfully compromised. Few security suites use ASLR and DEP in all their executables
Vectra Networks' Post Breach Report Reveals Attacker Habits (The VAR Guy) Ten percent of hosts experience at least one or more cyberattacks that bypass enterprise security perimeter defenses, according to a new study by security solution provider Vectra Networks
Emmental hack exposes holes in two-factor authentication (SecureID News) When is a man-in-the-middle attack not a man-in-the-middle attack? When it gains access to bank accounts by skirting text-based two-factor authentication. That's what's happening in an international cyber attack known as Operation Emmental
The rise of account takeovers (Help Net Security) Account takeover fraud is the primary means of attack from fraudsters and attack origins occurring predominantly outside of the U.S., according to NuData Security
Cybercriminals getting ready to shop (Enterprise Innovation) With the share of online sales from personal computers, smartphones or tablets growing every year, cybercrime activities are also on the rise
5 online scams to watch out for this Black Friday and Cyber Monday (Naked Security) Millions of shoppers will be searching for online bargains over the next week
Infographic: The Mall of American Data Breaches (ThreatTrack Security Labs) 2014 was a record year for data breaches, with big name companies like Home Depot, Staples, Michaels and Neiman Marcus all disclosing breaches that affected millions of consumers. Heading into the 2014 holiday shopping season, some security insiders are warning that another big data breach disclosure is only a matter of time
How a virus demanding a bitcoin ransom almost destroyed a public radio station's archives (NiemanLab) But for a fluke in its system, Missouri's KBIA could've lost all its files dating back to 2006
Canada Revenue Agency leaks its own data, hands journalist private tax details (Ars Technica) 18 pages included home addresses and tax credit information of prominent Canadians
Security Patches, Mitigations, and Software Updates
Security updates available for Adobe Flash Player (Adobe Security Bulletin) Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates provide additional hardening against CVE-2014-8439, which was mitigated in the October 14, 2014 release
Adobe Pushes Critical Flash Patch (KrebsOnSecurity) For the second time this month, Adobe has issued a security update for its Flash Player software. New versions are available for Windows, Mac and Linux versions of Flash. The patch provides additional protection on a vulnerability that Adobe fixed earlier this year for which attackers appear to have devised unique and active exploits
Cyber Trends
6 Million+ Email Accounts Worldwide Exposed In Past 3 Months (Dark Reading) Spike in number of stolen accounts likely due to uptick in major data breaches, researchers say
You Can't Always Stop a Breach: But You Should Always be Able to Spot One (Continuity Central) December 15th is the anniversary that Target's infamous security breach was discovered; but has anything really changed in the year that has gone by? Retailer after retailer is still falling foul of the same form of malware attack. So just what is going wrong?
Netskope: Most Cloud Apps Are Not 'Enterprise-Ready' (Talkin' Cloud) New study says 89 percent of cloud-based apps are not considered 'enterprise-ready'
Cyber Security Needs Its Ralph Nader (Dark Reading) It took thousands of unnecessary traffic fatalities to create an environment for radical transformation of the auto industry. What will it take for a similar change to occur in data security?
Poll: Many concerned over online privacy, but few acting for security (The Hill) A majority of the global public is concerned about online privacy, but fewer have actually done anything about it, according to a new survey of Internet users around the world
Small Businesses Need to Beef Up Their Cybersecurity Continuous Monitoring, According to CyberRx Survey (BusinessWire) Survey findings highlight themes of cybersecurity awareness, continuous monitoring, and training
Enterprise Wearable Device Use to Soar Despite Security Risks (Infosecurity Magazine) The use of wearable technology devices at work is set to soar over the coming 12 months, but UK IT leaders appear to be taking a worryingly laid back approach to securing them against data theft, according to Trend Micro
Marketplace
Home Depot spent $43M on data breach in one quarter alone (Computerworld) The retailer expects 'significant' ongoing expenses from the breach
5 Game-Changing Cybersecurity Stocks to Buy Now (24/7 Wall Street) As technology initiatives like cloud-based apps, social networking and virtualization have improved and dramatically increased in usage, a problem has also become more and more evident. The cybersecurity risk associated with adoption of these initiatives has grown to the point of being mission critical. A new research note from Oppenheimer points out that the huge Target stores breach represented the first time a CEO was ousted by the board for a major network breach. Don't think for a moment that other highly placed C suite executives didn't take note of the dismissal and want to avoid a similar fate at their respective companies
IPO Stock Watch: Hot IPO CyberArk Software Hits High (Investor's Business Daily) CyberArk Software (NASDAQ:CYBR) was trading at a new high Monday as one of the top-performing initial public offerings this year
Why Raytheon Is A Good Play On The Internet Of Things (Seeking Alpha) Raytheon (NYSE:RTN) is a global defense and aerospace company that focuses on defense systems, intelligence, missiles and many other areas. Shares of the company have performed relatively flat this year, which we feel is unjustified. We think that shares are valued attractively at today's prices. More significantly, however, we feel that Raytheon can return to significant revenue growth as the Internet of Things takes center stage
HP results disappoint ahead of split (ComputerWeekly) HP has announced disappointing fourth-quarter earnings ahead of the company's planned split aimed at reversing its recent decline
Twitter exec Anthony Noto reveals secret company plans in direct message goof (Naked Security) It's fair to say that Twitter's ahead of many of the social networks when it comes to privacy
ControlCase expands into Latin America with "Compliance as a Service" solution (Sys-Con Media) The new venture was announced at a business breakfast attended by compliance professionals from leading banks, merchants and service providers across Latin America
Are ex-hackers the answer to addressing the cyber security skills gap? (ComputerWeekly) There has been a lot written around the KPMG research which indicated that 53% of UK companies would consider hiring ex-hackers to assist in dealing with their cyber security issues. Now considered one of the biggest and most costly threats to UK businesses, cyber crime has been on the rise for a number of years now and the UK's skills resource has been struggling to keep up. Yet the suggestion that companies should look to hire ex-hackers to deal with the epidemic has been met with scepticism by many
Army Cyber branch offers Soldiers new challenges, opportunities (US Army) Soldiers who want to defend the nation in cyberspace, as part of the Army's newest and most technologically advanced career field, now have an Army branch to join that will take its place alongside infantry, artillery and the other Army combat arms branches
Cisco leases 100,000 square feet for Sourcefire headquarters, plans to add jobs (Baltimore Business Journal) Ken Ulman may have lost his bid for lieutenant governor earlier this month, but he's ending his time as Howard County executive with an economic development win
Founder Rejoins EdgeWave to Lead Cyber Security Innovation (Sys-Con Media) Cyber security industry veteran Farley Stewart brings over 20 years of success to EdgeWave
Products, Services, and Solutions
Bitdefender Unveils IoT Security Appliance (PC Magazine) The BOX is a physical network device which the antivirus firm calls "the security solution for the Internet of Things"
Agiliance Wins Homeland Security Award for Third Consecutive Year (BusinessWire) Company's security risk intelligence solution honored as Best Compliance / Vulnerability Solution
OPSWAT Introduces GEARS Security Tool for Mac (PRWeb) This security management application helps Mac users identify if their computer is at risk or compromised, by alerting them to potential malware infections and providing greater visibility and control of installed security tools
SecureData GI launches to deliver contextual threat intelligence delivered as-a-service in the cloud (Virtual Strategy Magazine) Complete cybersecurity service provider, SecureData has today launched SecureData GI (Greater Intelligence); the first completely integrated security intelligence platform, managed in the cloud and delivered as-a-service
Mike Lynch-backed Darktrace takes new approach to security (Techworld) Monitors behaviour of people inside the network instead of trying to keep them out
SecureData takes wraps off threat analysis service (Microscope) Having got used to the idea of using cloud-based security services customers are now looking to take it to the next stage and take advantage of data analysis to get the most out of monitoring their IT environment
ESET to Launch Completely Re-designed, Best-of-Breed Business Security Suite (PRNewswire) ESET®, a global pioneer in proactive internet security protection, today announced a significant transformation in its endpoint security products performance and usability. Building on the experience gained from more than 26 years of developing leading security solutions, ESET will introduce a completely re-designed suite of business security products for enterprise applications and small and medium-size businesses (SMBs) in North America later this year
A10 Networks Thunder TPS (Threat Protection System) Introduces Advanced DDoS Mitigation Capabilities as Customer Adoption and Industry Recognition Accelerates (CNN Money) Thunder TPS 3.1 provides security professionals with programmatic policy control, advanced DDoS mitigation, comprehensive detection, and significant visibility enhancements
Which Antivirus Products Are Best at Protecting Themselves? (PC Magazine) You depend on your antivirus or security suite to protect your data and your devices, but how well does it protect itself? Security software is just software, and subject to flaws, like any other type of program. Coders can take some simple steps to make sure a software flaw doesn't open the program to exploit attack. However, the latest report from German lab AV-Test Institute shows a wide range in how well security vendors armor their products against direct attack
Technologies, Techniques, and Standards
The context-aware security lifecycle and the cloud (Help Net Security) Ofer Wolf is the CEO at Sentrix, a provider of cloud-based web security solutions. In this interview he talks about the challenges of delivering enterprise-grade security, explains the role of the context-aware security lifecycle and illustrates how the cloud is shaping the modern security architecture
Data Management Vs. Data Loss Prevention: Vive La Différence! (Dark Reading) A sensitive data management strategy can include the use of DLP technology, but it also involves a comprehensive understanding of where your data is and what specifically is at risk
10 point smartcard checklist for merchants (CSO) Just about a year from now, retail merchants who currently accept only magnetic stripe payment cards will have to start accepting chip-based smart cards as well
5 PCI Compliance gaps (CSO) Here are five areas where merchants need to pay attention
Cybersecurity for the holidays: A non-stop job (USA Today) The holiday sales season and the online crush that accompanies it might seem a natural field day for hackers looking to attack the small and midsize retailers who depend on these sales to bump them into the black
On Cyber Monday, E-Shopping Should Be the Least of Your Online Worries (Business Management Daily) On Monday, desk-bound employees will be filling their virtual shopping carts, scooping up $4 birdfeeders and two-for-one video games. In fact, a new CareerBuilder survey says
Tips for Safe Shopping on Black Friday and Cyber Monday (Fortinet) In the United States, families will soon be traveling by plane, train and automobile to be with their loved ones to celebrate the Thanksgiving holiday. Large feasts will be prepared, football games will be viewed, and parades watched
Why you should protect your wireless connection (Help Net Security) It's holiday shopping season again, and consumers will join the rush to buy devices and accessories for loved ones. They'll scoop up phones and tablets, plus cases, covers and bags to shield from scratches and bumps. But while they are protecting their devices from physical harm, most will leave their phone's Wi-Fi connection — and their private data — open to exposure
Everything your users ever need to know about BYOD (Register) The essential checklist
How hospitals handle mHealth security (FierceMobileHealth) Mobile devices and apps increasingly are being used in healthcare settings, and with that comes greater risk to the security of patient information
Design and Innovation
NSA partners with Apache to release open-source data traffic program (ZDNet) The National Security Agency has released a new open-source program for data network interoperability
Hacking cars: Automakers put high priority on cybersecurity (San Jose Mercury News) Against the team of hackers, the poor car stood no chance
The branded bug: Meet the people who name vulnerabilities (ZDNet) Opinion: As 2014 comes to a close, bugs are increasingly disclosed with catchy names and logos. Heartbleed's branding changed the way we talk about security, but is making a bug 'cool' frivolous or essential?
Research and Development
Brain Science and Browser Warnings (Threatpost) Browser and other types of security warnings generally don't stop computer users in their tracks, especially when they're in the middle of some task. Clicking through them seems to be the accepted response, rather than to halt and evaluate the situation
Academia
A new free online course in Cryptography by University of Maryland (Decentralize) Historically, cryptography was used to ensure private communication between two people with some prior relationship. More recently, its scope has expanded to include things as diverse as data integrity, secure internet-wide communication, electronic cash, secure distributed computation, and more
A Cybersecurity Ph.D. May Be Just What's Needed for the Future of Higher Ed (EdTech) The next generation of IT experts will have their pick of several job opportunities
Programs Aim to Fill Cybersecurity Skills Gap (eSecurity Planet) Symantec's Cyber Career Connection and the Air Force Association's CyberPatriot program both aim to address the cybersecurity skills gap
Legislation, Policy, and Regulation
U.N. Urges Protection of Privacy in Digital Era (New York Times) The United Nations adopted a resolution on Tuesday urging all countries to protect the right to privacy in digital communications and to offer their citizens a way to seek "remedy" if their privacy is violated
U.S. Said to Cite Islamic State in UN Anti-Spying Text Talks (Bloomberg BusinessWeek) The U.S. cited the threat posed by Islamic State to avert a United Nations condemnation of collecting metadata in an anti-surveillance resolution backed by Germany and Brazil, diplomats said
EU companies unaware of proposed data protection law (ComputerWeekly) More than half of European companies do not know about legislation planned to unify data protection laws, according to Ipswitch
Patriot Act Deadline Threatens to Splinter NSA Reformers (National Journal) Stinging from defeat, some privacy advocates want to let parts of the Patriot Act sunset next year. But not everyone is ready to take the plunge
NSA Telephone Data Collection Program Not Based on ‘Secret Law,’ Says Former Intel Staffer (Roll Call) All that talk about "secret law" as the foundation for the allegedly illegal National Security Agency telephony metadata program? Hogwash, writes a former House Intelligence Committee staffer in the National Security Law Journal
Is "Secret Law" Really Either? (National Security Law Journal) After the U.S. Government disclosed the bulk collection of telephony metadata pursuant to Section 215 of the USA PATRIOT Act, debate arose as to whether Congress intended the provision to be interpreted to allow such collection. In addition, debaters wondered whether such interpretation constituted "secret law" inasmuch as it was not widely known among legislators or the public. These issues are best understood within the evolving legal structure surrounding intelligence activities, as well as in light of congressional rules governing legislation and oversight related to such activities. Congressional controversy over the intended scope and meaning of previously enacted legislation is nothing new, but as a matter of law and parliamentary procedure, Section 215 should be considered as properly reenacted and authorized as a basis for the activities at issue
Michèle Flournoy Takes Herself Out of Running for Top Pentagon Job (Foreign Policy) Michèle Flournoy, widely seen as the front-runner to replace Chuck Hagel as the next secretary of defense, abruptly took herself out of the running for the job Tuesday, complicating what will be one of the most important personnel decisions of President Barack Obama's second term
San Francisco DA pushes for chip payment cards in tech's backyard (IDG via CSO) Chip-and-PIN payment cards have a strong supporter in the hotbed of payment technologies, with San Francisco's district attorney promoting the new technology as a way to cut down on fraud
Litigation, Investigation, and Law Enforcement
Home Depot hit with "at least 44 civil lawsuits" due to data breach (Ars Technica) "Home Depot…not encrypting the data at all, or using lax encryption standards"
Tech firms anti-terrorism efforts criticised in Rigby report (BBC) The Intelligence and Security Committee (ISC)'s report into the murder of Fusilier Lee Rigby suggests there was a "significant possibility" MI5 could have prevented the attack had its officers been aware of an online exchange in December 2012 between Michael Adebowale and a person codenamed Foxtrot
Oops: After Threatening Hacker With 440 Years, Prosecutors Settle for a Misdemeanor (Wired) Thanks in part to America's ill-defined hacking laws, prosecutors have enormous discretion to determine a hacker defendant's fate. But in one young Texan's case in particular, the Department of Justice stretched prosecutorial overreach to a new extreme: about 440 years too far
Microsoft Leverages IoT Tech to Combat Online Fraud (eWeek) The software giant is banking on the Internet of things and the cloud to help law enforcement combat cyber-criminals
Breach Reported After Vendor Dispute (GovInfoSecurity) An ongoing legal dispute between the Texas Health and Human Services Commission and its former contractor, Xerox, has led the state agency to report to federal authorities that the business associate was responsible for a data breach affecting 2 million individuals
Murder-for-hire suspect gets new ACLU ally in battle against phone spying (Ars Technica) Baltimore man was located, searched earlier this year after use of a stingray